1 / 36

Structured Encryption and Controlled Disclosure

Structured Encryption and Controlled Disclosure. Melissa Chase Seny Kamara Microsoft Research. Cloud Storage. Security for Cloud Storage. Main concern: will my data be safe? it will be encrypted it will be authenticated it will be backed up access will be controlled …

derora
Download Presentation

Structured Encryption and Controlled Disclosure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Asiacrypt '10

  2. Cloud Storage Asiacrypt '10

  3. Security for Cloud Storage • Main concern:will my data be safe? • it will be encrypted • it will be authenticated • it will be backed up • access will be controlled • … • Security only vs. • outsiders • other tenants • Q: can we provide security against the cloud operator? Asiacrypt '10

  4. Confidentiality in Cloud Storage • How do we preserve confidentiality of data? • Encryption! • What happens when I need to retrieve my data? • e.g., search over emails or pictures Asiacrypt '10

  5. Searchable Symmetric Encryption [Song-Wagner-Perrig01] Asiacrypt '10

  6. Related Work • General-purpose • Two-party computation[Yao82] • Oblivious RAMs [Goldreich-Ostrovsky96] • Fully-homomorphicencryption [Gentry09] • interactive or search is O(|data|) • Searchable encryption • [SWP01,Goh03,Chang-Mitzen.05,Boneh-diCrescenzo-Ostrovsky-Persiano04,…]: 1 round & O(#docs) server computation • [Curtmola-Garay-K-Ostrovsky06]: 1 round & O(# of docs w/ word) server computation • Functional encryption [Boneh-Sahai-Waters10] Asiacrypt '10

  7. Limits of Searchable Encryption • Private keywordsearch over encrypted text data • Q: can we privately query other types of encrypted data? • maps • image collections • social networks • web page archives Asiacrypt '10

  8. Graph Data • Communications • email headers, phone logs • Networks • Social networks • Web crawlers • Maps Asiacrypt '10

  9. Structured Encryption t Asiacrypt '10

  10. Our Results • Structured Encryption • Formal security definition • simulation-based • Constructions • Graph encryption with adjacency queries • Graph encryption with neighbor queries • Web graph encryption with focused subgraph queries • Controlled disclosure • Application to cloud-based data brokering Asiacrypt '10

  11. Structured Encryption Asiacrypt '10

  12. Structured Data • Social network = Graph + Profiles Asiacrypt '10

  13. Structured Encryption t Asiacrypt '10

  14. CQA2-Security • Security against adaptive chosen query attacks • generalizes CKA2-security from [CGKO06] • Simulation-based definition • ``given the ciphertext and the tokens no adversary can learn any information about the data and the queries, even if the queries are made adaptively” • Too strong • e.g., SSE constructions leak some information • access pattern: pointers to documents that contain keyword • search pattern: whether two tokens were for the same keyword Asiacrypt '10

  15. CQA2-Security • Security is parameterized by 2 stateful leakage functions • Simulation-based definition • ``given the ciphertext and the tokens no adversary can learn any information about the data and the queries other than what can be deduced from the L1andL2leakages…” • “…even if queries are made adaptively” Asiacrypt '10

  16. Leakage Functions • 2 leakage functions • L1: leakage about data items • L2: leakage about data items and queries • Previous work on SSE -- except [Goldreich-Ostrovsky96] • L1: number of items and length of each item • L2: access pattern and search pattern • This work: • L1: number of items and length of each item • L2: intersectionpattern and query pattern • intersection pattern access pattern Asiacrypt '10

  17. CQA2-Security Real World Ideal World L1 ?$&$#&$#&$s!l) q q ,q L2 t t Asiacrypt '10

  18. Adaptiveness • Simulator “commits” to encryptions before queries are made • requires equivocation and some form of non-committing encryption • Lower bound on token length [Nielsen02] • (w/o ROs) • n: # of data items • : # of relevant items • All our constructions achieve lower bound Asiacrypt '10

  19. Constructions Asiacrypt '10

  20. Constructions • Graph encryption with adjacency queries • from matrix encryption with lookup queries • Graph encryption with neighbor queries • from text encryption with keyword search (i.e., SSE) • Web graph encryption with focused subgraph queries • from text encryption with keyword search • from graph encryption with neighbor queries Asiacrypt '10

  21. Neighbor Queries on Graphs t Asiacrypt '10

  22. Neighbor Queries on Graphs • Building blocks • Dictionary (i.e., key-value store) • Pseudo-random function • Non-committing symmetric encryption • PRF + XOR tokens are as long as query answer • RO + XOR tokens are as long as security parameter Asiacrypt '10

  23. Neighbor Queries on Graphs 2 1 … … 4 3 t = & K Asiacrypt '10

  24. FSQ on Web Graphs • Web graphs • Text data -- pages • Graph data --- hyperlinks • Simple queries on web graphs • All pages linked from P • All pages that link to P • Complex queries on web graphs • ``mix” both text and graph structure • search engine algorithms based on link-analysis • Kleinberg’s HITS [Kleinberg99] • SALSA [LM01] • … Asiacrypt '10

  25. Focused Subgraph Queries • HITS algorithm • Step 1: compute focused subgraph • Step 2: run iterative algorithm on focused subgraph Singapore Asiacrypt '10

  26. FSQ on Encrypted Graphs • Encrypt • pages with SE-KW • graph with SE-NQ • does not work! • Chaining technique • combineSE schemes (e.g., SE-KW with SE-NQ) • preserves token size of first SE scheme • Requires associative SE • message space: private data items and semi-private information • answer: pointers to data items + associated semi-private information • [Curtmola-Garay-K-Ostrovsky06]: associative SSE but not CQA2 Asiacrypt '10

  27. FSQ on Web Graphs t Asiacrypt '10

  28. FSQ on Web Graphs Asiacrypt '10

  29. FSQ on Web Graphs 1 1,3 2 3 4 (4, Asiacrypt '10

  30. Controlled Disclosure Asiacrypt '10

  31. Limitations of Structured Encryption • Structured encryption • Private queries on encrypted data • Q: what about computing on encrypted data? • Two-party computation • Fully-homomorphic encryption • 2PC & FHE don’t scale to massive datasets (e.g., Petabytes) • Do we give up security? Asiacrypt '10

  32. Controlled Disclosure • Compromise • reveal only what is necessaryfor the computation • Local algorithms • Don’t need to ``see” all their input • e.g., simulated annealing, hill climbing, genetic algorithms, graph algorithms, link-analysis algorithms, … Colleagues Family Asiacrypt '10

  33. Controlled Disclosure q t f Asiacrypt '10

  34. Cloud-based Data Brokerage • Microsoft Azure Marketplace • Infochimps Asiacrypt '10

  35. Secure Data Brokerage • Producer • accurate count of data usage • Collusions b/w • Cloud • Consumer Asiacrypt '10

  36. Questions? Asiacrypt '10

More Related